The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-38991

CVE-2026-38991: Cockpit CMS RCE Vulnerability

CVE-2026-38991 is a remote code execution flaw in Cockpit CMS 2.13.5 and earlier that allows authenticated attackers to bypass file extension filters and execute arbitrary code. This article covers technical details, affected versions, impact, and mitigation strategies.

Published: April 30, 2026

CVE-2026-38991 Overview

CVE-2026-38991 is a file extension bypass vulnerability in Cockpit CMS version 2.13.5 and earlier that allows authenticated attackers to achieve remote code execution. The vulnerability exists within the Bucket component's _isFileTypeAllowed function, where a specially crafted filename can bypass the extension filter mechanism. This allows an attacker with valid credentials to rename arbitrary files with the .php file extension, enabling arbitrary code execution on the underlying server.

Critical Impact

Authenticated attackers can bypass file type restrictions to upload and execute arbitrary PHP code, potentially leading to full server compromise, data exfiltration, and lateral movement within the network.

Affected Products

  • Cockpit CMS version 2.13.5 and earlier
  • All installations utilizing the Bucket component for file management
  • Systems running PHP with Cockpit CMS in web-accessible directories

Discovery Timeline

  • April 29, 2026 - CVE-2026-38991 published to NVD
  • April 29, 2026 - Last updated in NVD database

Technical Details for CVE-2026-38991

Vulnerability Analysis

This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw resides in the _isFileTypeAllowed function within the Bucket component of Cockpit CMS. The function is responsible for validating file extensions during upload and rename operations, but it fails to properly sanitize or validate specially crafted filenames.

When processing file rename requests, the extension validation logic can be bypassed through filename manipulation techniques. This allows an authenticated user to circumvent the intended security controls that prevent executable file types from being stored on the server. Once a file is renamed with a .php extension, the web server will interpret and execute it as PHP code when accessed directly.

The vulnerability requires authentication, meaning attackers must first obtain valid credentials to the Cockpit CMS administrative interface. However, once authenticated, even low-privilege users may be able to exploit this flaw depending on the configured permissions for the Bucket component.

Root Cause

The root cause is improper input validation in the _isFileTypeAllowed function. The extension filter implementation does not account for edge cases in filename parsing, allowing attackers to craft filenames that pass the validation check while still resulting in executable .php files on the filesystem. This is a classic file upload vulnerability pattern where server-side validation is insufficient to prevent dangerous file types from being stored and executed.

Attack Vector

The attack is network-based and requires low privileges (authenticated user access). The attacker workflow typically involves:

  1. Authenticating to the Cockpit CMS administrative interface with valid credentials
  2. Uploading a file with allowed extension containing malicious PHP code
  3. Using the Bucket component's rename functionality with a specially crafted filename to bypass the extension filter
  4. Renaming the uploaded file to have a .php extension
  5. Accessing the renamed file directly via the web server to execute arbitrary PHP code

The vulnerability does not require user interaction beyond the initial authentication step, making it straightforward to exploit once access is obtained. Successful exploitation grants the attacker the ability to execute arbitrary commands with the privileges of the web server process.

Detection Methods for CVE-2026-38991

Indicators of Compromise

  • Unexpected .php files appearing in Cockpit CMS upload directories or Bucket storage locations
  • Web server access logs showing requests to newly created PHP files in upload directories
  • File system audit logs indicating file rename operations changing extensions to .php
  • Unusual process spawning from the web server process (e.g., www-data or apache)
  • Network connections originating from the web server to external hosts

Detection Strategies

  • Monitor file system events in Cockpit CMS upload directories for file rename operations that result in .php extensions
  • Implement web application firewall (WAF) rules to detect and block suspicious file rename API requests
  • Review Cockpit CMS application logs for Bucket component file operations performed by authenticated users
  • Deploy file integrity monitoring on web server directories to detect unauthorized creation of executable files

Monitoring Recommendations

  • Enable detailed audit logging for the Cockpit CMS Bucket component
  • Configure alerts for any file extension changes to executable types (.php, .phtml, .php5, etc.)
  • Monitor authentication attempts and track user activity patterns for anomalous file operations
  • Implement centralized log collection for correlation of file system and web server events

How to Mitigate CVE-2026-38991

Immediate Actions Required

  • Upgrade Cockpit CMS to version 2.14.0 or later immediately
  • Review all files in Bucket storage directories for suspicious .php files that may indicate prior exploitation
  • Audit user accounts with access to the Bucket component and revoke unnecessary permissions
  • Implement additional web server configuration to prevent PHP execution in upload directories

Patch Information

The vulnerability has been addressed in Cockpit CMS version 2.14.0. Organizations should upgrade to this version or later to remediate the vulnerability. For detailed release information, refer to the GitHub Cockpit Release Notes. Additional technical analysis is available from Felsec Multi-Vulns Analysis.

Workarounds

  • Configure web server to disable PHP execution in upload directories using .htaccess or server configuration
  • Implement additional file type validation at the web server level independent of Cockpit CMS
  • Restrict Bucket component access to only trusted administrative users
  • Consider placing Cockpit CMS behind a VPN or IP-restricted access control
bash
# Apache configuration to prevent PHP execution in uploads directory
# Add to .htaccess or server configuration
<Directory "/path/to/cockpit/storage/uploads">
    php_admin_flag engine off
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechCockpit
  • SeverityHIGH
  • CVSS Score8.8
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-434
  • Technical References
  • Felsec Multi-Vulns Analysis
  • GitHub Cockpit Release Notes
  • Related CVEs
  • CVE-2026-38992: Cockpit CMS RCE Vulnerability
  • CVE-2026-6626: Cockpit-HQ Cockpit RCE Vulnerability
  • CVE-2026-4631: Cockpit Remote Login RCE Vulnerability
  • CVE-2026-38993: Cockpit Path Traversal Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English